GPO - User Configuration Does NOT Apply

Guest

Hi,

I have a problem with User Configuration not applying to Users.
I have only one policy. It is created at domain level and the same policy is
linked to the TEST OU, which contains all test users. All test users are members
of test_group. In GPO properties on the security tab, test_group's Read and Apply
Policy status are checked.
Once a user logs in, the user policy is not applied. I checked the log and got the
following messages.

Event ID: 1101
Source: UserEnv
Description: Windows cannot access the object
OU=TEST,DC=testdomain,DC=ca in Active Directory. The access to the object may
be denied. Group Policy processing aborted.

In Group Policy Result for user there is a message under
Denied GPOs
Name: LocalGroupPolicy - test_policy (DEFAULT)
Link Location: Local - testdomain.ca
Reason Denied: Empty - Access Denied(Security Filtering)


When I am logged in as a user I can browse \\server\sysvol content without
problem. Every user has read settings for their OU (TEST) enabled.

If you give administrator privileges to a regular user, the user policy applies.
I have no idea what's going on.

Server is W2K with SP4.
 
Mark Renoden [MSFT]

Hi

First up, I wouldn't have the policy linked at the domain and OU level.
This will cause it to be evaluated twice. Secondly, it looks like a problem
with the permissions on the Test OU as an AD object. My suggestion for the
simplest fix would be to move the users to another location, delete the OU
and re-create the OU. Link the policy at this level and leave all of the
default permissions to get a baseline understanding of whether it's working.
Once it is, start tightening the security filtering as you need it.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
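
A read-only way to inspect the permissions on the OU object named in event 1101, as an added example that is not part of the original thread. It assumes a domain-joined management workstation with Windows PowerShell (not the W2K server itself), the NetBIOS domain name TESTDOMAIN, and the principal list shown; it is a simplified check that does not expand nested group membership.

```powershell
# Added example, not from the thread. Read-only: lists ACEs, changes nothing.
$ouDn = 'OU=TEST,DC=testdomain,DC=ca'      # DN quoted in event 1101

# Principals an ordinary user's token carries; NetBIOS domain name is assumed.
$principals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'TESTDOMAIN\test_group'
)
$readProp    = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Fetch explicit and inherited ACEs, with SIDs translated to account names.
$ou    = [ADSI]"LDAP://$ouDn"
$rules = $ou.psbase.ObjectSecurity.GetAccessRules(
             $true, $true, [System.Security.Principal.NTAccount])

# ACEs for those principals that include ReadProperty (GenericRead contains it).
$hits = @($rules | Where-Object {
    ($principals -contains $_.IdentityReference.Value) -and
    (([int]$_.ActiveDirectoryRights -band $readProp) -ne 0)
})

$hits | Sort-Object AccessControlType |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                 IsInherited, PropagationFlags -AutoSize

$deny = @($hits | Where-Object { $_.AccessControlType -eq 'Deny' })

# Allow ACEs that apply to the OU itself (not inherit-only) and to all properties.
$allow = @($hits | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    ($_.ObjectType -eq [guid]::Empty) -and
    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
})

if ($deny.Count -gt 0) {
    'A Deny ACE covers ReadProperty for a listed principal: review the Deny rows.'
} elseif ($allow.Count -eq 0) {
    'No Allow ACE gives the listed principals ReadProperty on the OU object itself.'
} else {
    'Read access on the OU object is present for at least one listed principal.'
}
```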
 
Guest

Thanks for the reply, but this is not the case. I tried as you said but nothing
happens; same errors, same problem.


Mark Renoden [MSFT]

Hi again

What happens if you:

1. create a new OU directly under the domain
2. move all the servers here and have no GPOs linked to the OU
3. unlink the GPO from the domain leaving only the Default Domain Policy
linked at this level.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
